07-26-2019 04:50 AM
Hello,
I have been given the following problem.
LAN<->Switch_Branch_Office[HP]<->CE Router_Branch_Office[Cisco]<->MPLS<->Radiusserver_ClearPath_Datacenter[HP]
I own the CE router and the MPLS, so the HP switch and the RADIUS server are owned by the customer.
The customer wants to authenticate not only the PCs (supplicants) but also the CE router with his RADIUS server (government rule).
The problem in my head is that when I enable an 802.1X supplicant on the router (CISP client) to authenticate against the HP switch (authenticator), the RADIUS IP lies behind the interface that has to be authenticated (it will not succeed).
So in my opinion the only possibility is a local fallback on the HP switch with local EAP-TLS. The question is: is it somehow possible to authenticate an L2 access/trunk port with an SVI or subinterface, or a routed port, from the switch to the router without using the RADIUS server? Like some MACsec between pure Cisco devices?
Best regards,
Robert
07-26-2019 08:53 AM
I've moved your discussion to Routing as the only Cisco element in your network is a router.
As both the switch and the RADIUS server are from HP, I would suggest you check with HPE support resources if you have not done so already. MACsec has some potential, but you need to verify whether the switch and the router have compatible support.
07-26-2019 11:17 AM
OK, thank you. Maybe someone has a hint for me. Best regards, Robert